The Windows Registry location
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options allows for parameters to be set for applications during execution. One feature used by malicious actors is the “Debugger” option. When a key has this value enabled, a Debugging command line can be specified. Windows will launch the Debugging command line, and pass the original command line in as an argument. Adversaries can set a Debugger for Accessibility Applications. The analytic looks for the original command line as an argument to the Debugger. When the strings “sethc.exe”, “utilman.exe”, “osk.exe”, “narrator.exe”, and “Magnify.exe” are detected in the arguments, but not as the main executable, it is very likely that a Debugger is set.
|Technique||Tactic||Level of Coverage|
|Accessibility Features||Privilege Escalation, Execution, Persistence||Moderate|
One simple way to implement this technique is to note that in a default Windows configuration there are no spaces in the path to the
system32 folder. If the accessibility programs are ever run with a Debugger set, then Windows will launch the Debugger process and append the command line to the accessibility program. As a result, a space is inserted in the command line before the path. Looking for any instances of a space in the command line before the name of an accessibility program will help identify when Debuggers are set.
process = search Process:Create debuggers = filter process where (command_line match "$.* .*(sethcutilmanosknarratormagnify)\.exe") output debuggers
Test Case 1:
- Configurations: Windows 7
- Description: Although it does not actually utilize the Debugging command line, an easy way to test this analytic to run cmd.exe from a command window, supplying one of the strings as arguments.
This analytic could depend on the possibility of the known strings used as arguments for other applications used in the day-to-day environment. Although the chance of the string “sethc.exe” being used as an argument for another application is unlikely, it still is a possibility.
Data Model References